
[Auth] Update perm logic for extra fields #2399

Merged
nezaj merged 3 commits into main from sm-extra-fields
Mar 23, 2026

Conversation

@nezaj nezaj (Contributor) commented Mar 23, 2026

The $users create permission check used the standard rule resolution path, which falls through to $default rules before reaching the $users fallback. Apps with $default deny-all rules (common pattern) had guest auth and other signup flows rejected because the $default rule was evaluated instead of the intended $users create fallback.

Tests
Added tests for $default and the extraFields-without-rule behavior. Also updated extraFields tests to set a create rule since they now require one.

Backend changes
Changed assert-create-permission! to only check the explicit $users.allow.create rule, skipping $default paths entirely. New default user auth logic is:

  • Explicit create rule exists: evaluate it
  • No rule but extraFields supplied: false (prevents unvalidated writes)
  • No rule, no extraFields: true

Docs/rules
Added a note in the users doc and instant-rules about extraFields requiring an explicit create rule.
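The three-branch decision described above, modelled side by side with the fall-through resolution it replaces. This is an added example for this page, not code from the instant repository; the rule dicts, the predicate-style rule bodies and the nickname-only create rule are constructed stand-ins for Instant's rule language.

```python
# Added model of the $users create-permission resolution described in the PR.
# Constructed example: rules are plain dicts and each rule body is a Python
# predicate over the signup context, standing in for Instant's rule language.

# $default deny-all, the pattern the PR says broke guest auth and other signups.
DENY_ALL_DEFAULT = {"$default": {"allow": {"create": lambda ctx: False}}}

# Same app with an explicit $users create rule that validates extraFields:
# only a "nickname" may be supplied at signup (constructed rule).
WITH_USERS_RULE = {
    **DENY_ALL_DEFAULT,
    "$users": {
        "allow": {"create": lambda ctx: set(ctx["extra_fields"]) <= {"nickname"}}
    },
}


def _create_rule(rules, namespace):
    """Return the allow.create rule for a namespace, or None if none is set."""
    return rules.get(namespace, {}).get("allow", {}).get("create")


def resolve_create_before(rules, ctx):
    """Pre-fix resolution: $users, then $default, then the $users fallback.
    With a $default deny-all rule the fallback is never reached."""
    for namespace in ("$users", "$default"):
        rule = _create_rule(rules, namespace)
        if rule is not None:
            return bool(rule(ctx))
    return True  # the $users fallback


def resolve_create_after(rules, ctx):
    """Post-fix resolution: only the explicit $users.allow.create rule counts.
    No rule but extraFields present: deny, since nothing validates the write.
    No rule and no extraFields: allow."""
    rule = _create_rule(rules, "$users")
    if rule is not None:
        return bool(rule(ctx))
    return not ctx["extra_fields"]


def signup_outcomes(rules, extra_fields):
    """Return (before-fix, after-fix) decisions for one signup attempt."""
    ctx = {"extra_fields": extra_fields}
    return resolve_create_before(rules, ctx), resolve_create_after(rules, ctx)
```

The first scenario in the test is the one the PR fixes: a deny-all $default used to reject a guest signup that sends no extraFields, and now does not.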

coderabbitai bot (Contributor) commented Mar 23, 2026

No actionable comments were generated in the recent review. 🎉

Reviewing files that changed from the base of the PR and between 0978a2d and 812bed9.

📒 Files selected for processing (7)
  • client/packages/create-instant-app/template/rules/AGENTS.md
  • client/packages/create-instant-app/template/rules/cursor-rules.md
  • client/packages/create-instant-app/template/rules/windsurf-rules.md
  • client/www/lib/intern/instant-rules.md
  • client/www/pages/docs/users.md
  • server/src/instant/model/app_user.clj
  • server/test/instant/runtime/routes_test.clj

📝 Walkthrough

This PR enforces that extraFields writes during auth signup now require an explicit $users create permission rule. When extraFields are present but no create rule exists, signup is blocked. Server logic is updated to implement this validation, and documentation is updated across multiple locations to reflect the requirement.

Changes

Documentation Updates
  • Files: client/packages/create-instant-app/template/rules/AGENTS.md, client/packages/create-instant-app/template/rules/cursor-rules.md, client/packages/create-instant-app/template/rules/windsurf-rules.md, client/www/lib/intern/instant-rules.md, client/www/pages/docs/users.md
  • Summary: Updated $users permissions documentation to state that extraFields require an explicit create rule; signup is blocked if the rule is omitted.

Server Permission Logic
  • Files: server/src/instant/model/app_user.clj
  • Summary: Modified assert-create-permission! to accept has-extra-fields? parameter and deny signup when no create rule is found and extraFields are present. Updated assert-signup! to pass extraFields status to the permission check.

Test Coverage
  • Files: server/test/instant/runtime/routes_test.clj
  • Summary: Added test setup to configure $users create permissions, included test case validating magic-code signup rejection when no create rule exists but extraFields are present, and added guest signup assertions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • stopachka
  • dwwoelfel
Pre-merge checks: 3 passed
  • Title check: ✅ Passed. The title '[Auth] Update perm logic for extra fields' directly addresses the main change: updating the permission logic for handling extra fields in the $users create permission check.
  • Description check: ✅ Passed. The description clearly explains the problem being fixed (permission check falling through to $default rules), the solution (checking only explicit $users.allow.create), and covers all major changes (backend logic, tests, and documentation updates).
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@github-actions (Contributor) commented:

View Vercel preview at instant-www-js-sm-extra-fields-jsv.vercel.app.

Inline review comment on the diff at has-extra-fields?:

I wonder if we really need this distinction.

I get that it could be a surprise to users, but I also feel it's surprising that the presence or absence of extraFields changes the create rule.

cc @dwwoelfel for thoughts too

@stopachka stopachka (Contributor) left a comment

SGTM!

@nezaj nezaj merged commit cb9aa39 into main Mar 23, 2026
28 checks passed
@nezaj nezaj deleted the sm-extra-fields branch March 23, 2026 17:17